Customers of American Express are being notified that their card data was exposed in a data breach at a third-party service provider.
The company notified the affected consumers that certain card members' account information was affected by the event; a copy of the letter was sent to the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR).
According to the letter, American Express learned that a third-party service provider used by many merchants suffered unauthorized access to its systems. The notice letter states, “It is important to note that systems owned or controlled by American Express were not compromised by this incident.”
According to American Express, the exposed data includes names, current and previously issued American Express card account numbers, and other card information such as expiration dates.
The financial services provider states that it is “vigilantly monitoring” customer accounts for fraudulent activity and assures customers that they will not be held liable for fraudulent charges made on their accounts.
The notification letter does not disclose the specifics of how the incident happened, but it does offer several suggestions on how card members can safeguard their cards and personal information. The number of people affected by the breach has not been disclosed.
American Express has disclosed multiple third-party data breaches involving retailers and merchant processors over the past few weeks, according to the most recent data breach listings from the Massachusetts OCABR. In each case, credit or debit card numbers were exposed.
Because it is unclear whether the data was merely accessed or actually exfiltrated from the third-party provider, the full impact of the American Express data breach is not yet known. In an email, BlackFog founder and CEO Darren Williams stated, “If attackers have obtained sensitive customer data, such as card numbers and expiration dates, they can use it to extort customers into making additional payments in addition to making fraudulent purchases.”
Update: American Express responded to SecurityWeek with the following statement:
“The incidents that you are inquiring about occurred at a merchant or merchant processor and were not an attack on American Express or an American Express service provider, as some media outlets have erroneously reported. Because customer data was impacted, American Express provided notice of the incidents to Massachusetts agencies and impacted customers who reside in Massachusetts.
American Express Card Members are not liable for fraudulent charges on their accounts. We have sophisticated monitoring systems and internal safeguards in place to help detect fraudulent and suspicious activity. If we see there is unusual activity that may be fraud, we will take protective actions.”